Hi Jesus,

I'm having the same problem, and the triggering of this rule causes so much noise that it's drowning out other alerts. I have added a rule like you suggested to my local rules:
    <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
      <if_matched_sid>510</if_matched_sid>
      <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
      <description>Ignore rootcheck warning on world-writable docker volumes</description>
    </rule>

But it doesn't seem to have an effect. I've played with the regex, simplifying it and even deleting it altogether, but I still can't seem to get it working. Logtest shows the following output:

    File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.

    **Phase 1: Completed pre-decoding.
           full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
           hostname: 'ec2-12-34-56-78'
           program_name: '(null)'
           log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'

    **Phase 2: Completed decoding.
           No decoder matched.

I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is there anything obvious that I'm doing wrong?

Cheers!
Gert

On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
>
> Hi Rob,
>
> you need to add the conditions to trigger that rule only for your specific
> files. Use match or regex:
>
> <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>   <if_matched_sid>510</if_matched_sid>
>   <!--
>   conditions:
>   option 1:
>   <match>YOUR_FILE1|YOUR_FILE2|...</match>
>   option 2:
>   <regex>YOUR_FILE\.+</regex>
>   -->
>   <description>Ignore rule 510 for 600 seconds for some files.
>   </description>
> </rule>
>
> --

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
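An offline way to check whether a `<match>` or `<regex>` condition like the ones discussed in this thread would match the event text that logtest printed. This is an added example, not code from the thread or from OSSEC/Wazuh; it assumes the documented os_regex subset listed in the comments (`\.` as the any-character wildcard, `\w`/`\d`/`\s` classes, `* + ?` modifiers, `^ $ |` anchors and alternation) and only approximates the real os_regex engine.

```python
import re

# Subset of OSSEC's os_regex syntax translated to Python's re module.
# Assumption: classes follow the OSSEC regex documentation; everything
# outside this subset is treated as a literal character.
_CLASSES = {  # OSSEC class -> Python re equivalent
    "w": "[A-Za-z0-9_]", "d": "[0-9]", "s": " ", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",           # punctuation
    ".": ".",                               # "\." is OSSEC's any-character wildcard
    "W": "[^A-Za-z0-9_]", "D": "[^0-9]", "S": "[^ ]",
}
_META = set("*+?^$|()")  # modifiers, anchors, alternation and grouping pass through

def ossec_regex_to_python(pattern: str) -> str:
    """Convert an OSSEC <regex> pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # backslash class, e.g. \. or \w
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:                                      # a bare "." is literal in OSSEC
            out.append(ch if ch in _META else re.escape(ch))
            i += 1
    return "".join(out)

def regex_matches(pattern: str, log: str) -> bool:
    """True if an OSSEC <regex> condition would match this log line."""
    return re.search(ossec_regex_to_python(pattern), log) is not None

def match_matches(pattern: str, log: str) -> bool:
    """OSSEC <match>: literal substring test; '|' separates alternatives,
    '^' anchors at the start and '$' at the end (assumed from the OSSEC docs)."""
    for alt in pattern.split("|"):
        lit = alt[alt.startswith("^"):len(alt) - alt.endswith("$")]  # strip anchors
        rx = ("^" if alt.startswith("^") else "") + re.escape(lit) + ("$" if alt.endswith("$") else "")
        if re.search(rx, log):
            return True
    return False

# Event text from the logtest output above and the <regex> from the local rule.
LOG = ("File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e"
       "/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root"
       " and has written permissions to anyone.")
DOCKER_REGEX = r"/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone"

if __name__ == "__main__":
    print(regex_matches(DOCKER_REGEX, LOG))               # True
    print(match_matches("/var/lib/docker/volumes/", LOG))  # True
```

Because it runs against the pre-decoded event string, it only tells you whether the condition itself can match; whether the rule is reached at all is still something to confirm with ossec-logtest.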